Agenda of Audit and Risk Committee

Audit and Risk Committee - 06 December 2018 - Open Agenda Item 2

2. Proposed Audit and Risk Committee 2019 Meeting Calendar

Type of Report:	Operational
Legal Reference:	N/A
Document ID:	433409
Reporting Officer/s & Unit:	Caroline Thomson, Chief Financial Officer

2.1 Purpose of Report

To consider the proposed timetable of meetings for the Audit and Risk Committee in 2018, as detailed below.

Officer’s Recommendation

That the Audit and Risk Committee:

a. Receive the proposed timetable of meetings for the Audit and Risk Committee for 2019.

Chairperson’s Recommendation

That the Committee resolve that the officer’s recommendation be adopted.

2.2 Background Summary

The following table sets out the meetings held during 2018 together with the proposed schedule for meetings for 2019:

Proposed Audit and Risk Committee meetings timetable 2019
2018	Content	2019	Content
15 March 2018	Insurance, Draft Long Term Plan	14 March 2019	Insurance, Draft Annual Plan
14 June 2018	General	13 June 2019	General
13 September 2018	Draft Annual Report	12 September 2019	Draft Annual Report
6 December 2018	General	5 December 2019	General

2.3 Issues

No issues

2.4 Significance and Consultation

N/A

2.5 Implications

Financial

N/A

Social & Policy

N/A

Risk

N/A

2.6 Attachments

Nil

Audit and Risk Committee - 06 December 2018 - Open Agenda Item 4

4. Risk Management Report

Type of Report:	Information
Legal Reference:	N/A
Document ID:	433414
Reporting Officer/s & Unit:	Ross Franklin, Consultant

4.1 Purpose of Report

To provide the Audit and Risk Committee (Committee) with an update on progress with risk management work and to report on the highest rated risks.

Officer’s Recommendation

That the Audit and Risk Committee:

a. Note the risk management work being undertaken by the NCC Risk Committee.

b. Receive the report titled: Highest rated risks report 24 September 2018.

c. Receive the report titled; NCC Risk Maturity Roadmap: 5 Year Plan

Chairperson’s Recommendation

That the Committee resolve that the officer’s recommendations be adopted.

4.2 Background Summary

Napier City Council (NCC) has a programme of work to develop and mature its enterprise risk capability. A risk maturity roadmap has been developed to guide this work.

The Committee supports this work by acting in a monitoring and advisory role. This report provides an update to the Committee on progress against the roadmap and reports the highest rated risks to ensure they are being actively managed.

NCC has a Risk Management Framework document together with a Risk Management Strategy. These document set out the NCC risk appetite and the risk management roles, responsibilities and reporting requirements.

NCC risks are recorded in a risk management software solution known as “Sycle”. Each risk is assigned a risk owner and the risk is rated based on an assessment against the NCC risk matrix and based on the level of residual risk once any control measures and actions (or work programmes) designed to prevent or mitigate the risk have been identified and implemented.

NCC has an internal Risk Committee made up of officers from different areas of the organisation. The role of the risk committee is to coordinate the risk management process; monitor the risk profile, risk appetite and effectiveness of controls; monitor & review high and extreme risks and report extreme and high risks to Council’s senior leadership team. The committee is chaired by the Manager Business Excellence & Transformation.

The Risk Management Strategy requires high and extreme risks to be reported to the Audit & Risk Committee. Recognising the level or NCC risk maturity all high\extreme strategic risks and extreme operational risks are reported to each Audit & Risk Committee meeting.

4.3 Issues

Since our last report to the Committee progress has continued to be made in the following areas:

· Further development of the Sycle Projects module

· Commencement of a Business Continuity Management programme of work

· Review risk processes, systems and of the risk register

Sycle Projects Module

As reported to the last meeting work is progressing on the implementation of the projects module in Sycle.

Once implemented, all small and large projects undertaken by NCC will be maintained in the Projects module and the risks for each project will be entered against the project.

As small and large project risks will be monitored within Sycle it has been recognised that to include all project risks within the formal risk management processes could result in an unnecessary volume of low level project risks clogging up the register. Prior to ‘going live” with the sycle projects module a further review will take place on the best mechanism of reporting on any significant project risks. Until we have confidence that only relevant risks on major projects would roll up into the main register reporting to the Committee will continue to focus only on risks in the Strategic and Operational risk registers.

Full implementation of the Projects module is now expected to be achieved by the end of March 2019.

Business Continuity Management

As reported to the last meeting we have commenced our Business Continuity Management (BCM) work in early 2018. The aim of BCM is to achieve a framework for resilience and response capability in order to safeguard people and operations as well as to uphold confidence in NCC. An initial draft of a BCM policy has been prepared as the first part of the framework and work has commenced on the next stage which is a business impact analysis.

The BCM framework responds to the strategic risk SR5 – ‘Event causing disruption or destruction of critical business functions and/or production and delivery of council services’.

Review of the Risk Register

As set out in the risk roadmap, regular review of risk, risk controls and risk treatments are critical to effective risk management. Sycle allows us to set review dates for each of these risk components.

The bulk load of risks into Sycle took place in July 2017. As most risks in the register were part of the bulk load they have all been scheduled for review.

We have identified some areas we the data and risk reporting needs refinement. This includes taking the opportunity, now that we have improved our knowledge of risk management, to progressively review and refine what we have in the register. This requires others, as well as the risk owner, to review each risk to determine whether:-

· The risk description adequately describes the risk

· The correct officer has been assigned to be responsible for the risk

· The risk rating is still correct

The intended risk management process is for the individual risk owners to review their risks on an ongoing basis, however this time we believe we should take a little more time to ensure we are comfortable with all the base data in the register. This means additional support needs to be provided and the process to complete the review of all overdue risks will take a little longer. The benefit should be an improvement in the quality of data within the risk registers.

Once round of reviews is complete we can again focus on embedding the practice, of regular reviews of all risks into the normal business practices and move NCC along the risk maturity scale in the roadmap.

Review of the Corporate Risk Management Framework and NCC Risk Management Strategy

As reported to the last meeting work is underway to review these key risk documents. We expect to be able to present a new Risk Management Policy (to replace the current Risk Management Framework document) and updated risk management strategy to the committee in early 2019.The Framework was first adopted in 2015 and an updated Framework document was adopted in April 2017. In April 2017 the Risk Management Strategy was approved as the underlying document for the Sycle risk management module. The framework is a higher-level policy document while the Strategy is a more detailed “how to” strategy document to guide staff when they are recording and managing risks in the Sycle module.

The current documents were prepared\reviewed at the time staff were identifying the initial organisational risks to be loaded into the Sycle module. Now that the system has been in operation for a year it is a good time to have a closer look at the documents and identify any improvements that can be made.

Risk Maturity Roadmap

The NCC Risk maturity Roadmap has been updated and is attached. New comments to show recent progress have been added in red text.

Regional Collaboration

A regional risk management forum has been set up where risk managers for a range of organisations within Hawkes’ Bay can meet and share information. A meeting was held on 15^th November and this included representations form other non-council organisations. This meeting was followed by a meeting of Council representatives facilitated by H B LASS to explore opportunities for collaboration between the councils. While it is early days with these forums any opportunities to enhance the knowledge base within NCC through shared learning can only be beneficial for risk management at NCC going forward.

1.4 Highest rated risks

There are currently 5 strategic and 177 operational risks in the risk register. (Project risks have been excluded from reporting). In addition there are approximately 650 control measures that have been identified to prevent or mitigate the risks that have been identified in the registers. In addition there are 80 actions or programmes of work that have been identified to help manage and mitigate risks in the register. 4 of these actions or programs of work have been completed and the rest of these are still in varying stages of completion.

No risks have been added to or removed from the registers since the last meeting of the Committee.

There are seven risks to report to the Committee as the highest rated risks; three are operational risks rated Extreme (OR155, OR164 and OR 178) and four are strategic risks rated High (SR2, SR3, SR5 and SR6).

These risks are reported in the attached spreadsheet and they are the same as reported to the last meeting (Attachment A).

All seven risks have treatment actions to further manage the causes or consequences of each risk.

Extreme Risks

The Extreme risks in the operational risk register are:

· OR155 Pandora Pond – customer drowning

· OR164 Bluff Hill – fall from cliff top

· OR178 Reliance on monopoly contractors for waste management

These risks were previously reported to you on 19 July and they have not changed. The Pandora Pond facility is currently closed for the winter season and measures will be put in place to mitigate some of the risk prior to the Summer opening, and a project to replace the fence around the cliff top is currently being commissioned.

Work is underway to identify effective control measures to mitigate the waste management risk.

High Risks

The four high risks in the strategic register are:

· SR2 Removal of three waters delivery and management

· SR3 Increased number and/or severity of major/natural disaster events

· SR5 Event causing disruption or destruction of critical business functions and/or production and delivery of council services.

· SR 6 Risk management practices

These risks were previously reported to you on 11 October and have not changed. The risks are outside the control of NCC. The risks treatments listed against these risks are ongoing.

4.4 Significance and Consultation

There are no significance or consultation requirements associated with this report.

4.5 Implications

Financial

There are no financial implications

Social & Policy

There are no social and policy implications apart from the management of the Councils risk management framework and strategy.

Risk

This report focuses on organisational risk. The purpose is to advise the committee on NCC risk management practices and on high strategic and high and extreme operational risks.

4.6 Options

The options available to the committee are as follows:

a. Receive the report and attachments

b. Receive the report and attachments and request additional information

4.7 Development of Preferred Option

The preferred option is for the committee to receive the report and attachments

4.8 Attachments

a Report on Highest Rated Risks ⇩

b Risk Maturity Roadmap ⇩

Audit and Risk Committee - 06 December 2018 - Open Agenda Item 5

5. Internal Audit Programme 2018/19

Type of Report:	Operational
Legal Reference:	Local Government Act 2002
Document ID:	671251
Reporting Officer/s & Unit:	Caroline Thomson, Chief Financial Officer

5.1 Purpose of Report

To table to the Committee the internal audit programme for 2017/18 and 2018/19 from Crowe Horwath. Recommendations, feedback and any other review priorities the Committee deems relevant, is sought.

Officer’s Recommendation

That the Audit and Risk Committee:

a. Resolve that the internal audit programme for 2017/18 and 2018/19 from Crowe Horwath is received.

Chairperson’s Recommendation

That the Committee resolve that the officer’s recommendation be adopted.

5.2 Background Summary

In June 2017 Council engaged Crowe Horwath for the provision of internal audit services for an initial contract term of three years. The following table sets out the internal audit programme for 2017/18 and 2018/19:

Internal audit	Status
Cash handling – i-Site, Kennedy park, MTG	Completed September 2017
Cash handling – Transfer Station	Completed September 2017
Data analytics	Completed November 2017
Fraud workshop	Completed November 2017
Enforcement and inspection review	Completed July 2018
Fraud workshop	Completed September 2018
Accounts receivable and credit control	Draft report received – November 2018
Sensitive expenditure	In progress – November 2018
Contract management	Planned for February 2019
Data analytics	Planned for April 2019
Follow up activities	Planned for May 2019

5.3 Issues

No Issues

5.4 Significance and Engagement

N/A

5.5 Implications

Financial

N/A

Social & Policy

N/A

Risk

N/A

5.6 Attachments

Nil

Audit and Risk Committee - 06 December 2018 - Open Agenda

Audit and Risk Committee

Open Minutes

Meeting Date:	Thursday 11 October 2018
Time:	1.00pm – 1.33pm
Venue	Council Chamber Hawke's Bay Regional Council 159 Dalton Street Napier

Present

John Palairet (In the Chair), Mayor Bill Dalton, Geoff Foster, Councillor Claire Hague, and Councillor Kirsten Wise

In Attendance

Stephen Lucy – Audit New Zealand

Director Corporate Services, Director Infrastructure Services, Director City Strategy [from 1.14pm], Chief Financial Officer, Manager Property [from 1.14pm], Accounting Consultant/ Acting Risk Manager

Administration

Governance Team

Apologies

Nil

Conflicts of interest

Nil

Public forum

Nil

Announcements by the Mayor

Nil

Announcements by the Chairperson

Nil

Announcements by the management

Nil

Confirmation of minutes

Councillors Wise / Hague

That the Minutes of the meeting held on 19 July 2018 were taken as a true and accurate record of the meeting.

Carried

Agenda Items

1. Health and Safety Report

Type of Report:	Operational
Legal Reference:	Health and Safety at Work Act 2015
Document ID:	433376
Reporting Officer/s & Unit:	Sue Matkin, Manager People & Capability

1.1 Purpose of Report

The purpose of this report is to provide Audit and Risk with an overview of the health and safety performance as at 31^st August 2018.

At the Meeting

The Manager People and Capability spoke to the report, noting that in the period to 31 August 2018 there had been one Lost Time Injury (LTI) – the lost time being a couple of days – and an incident involving a contractor at the MTG. Both matters had been followed up with appropriate actions. It was also noted that in the month of September there had been another LTI involving as cleaner, and an incident involving a contractor digging around power cables without the correct permit. The Contractor was issued with a notice and retrained. It is believed that the current lag indicator for LTIs is set at an appropriate level for the organisation.

A strong focus is currently being placed on employee health and wellbeing with a number of events being arranged in the months leading up to the December break that will be made available to attend.

Other current actions underway include the creation of a central log for all chemicals and their safety information, including the appropriate personal protection equipment to use if handling.

Council has performed well in the recent Health and Safety related audits undertaken.

Specific attention is not currently given to supporting Local Government staff through difficult interactions with the public; however this may be addressed indirectly through some of the wellness programmes underway.

Although all new staff are drug tested prior to beginning work, this is not a requirement for Elected Members. Council would have to resolve that they wished to undertake the same testing as staff for this to be implemented.

Committee’s Recommendation

Councillors Wise / Hague

a. That the committee receive the report.

Carried

2. Risk Management Report

Type of Report:	Information
Legal Reference:	N/A
Document ID:	433390
Reporting Officer/s & Unit:	Ross Franklin, Consultant Rachael Horton, Manager Business Excellence & Transformation

2.1 Purpose of Report

To provide the Audit and Risk Committee (Committee) with an update on progress with risk management work and to report on the highest rated risks.

At the Meeting

The acting risk manager spoke to the report, noting that there are two new risks for the last period: reliance on a sole contractor for waste management, and the strategic risk that in the time that the organisation is moving to full maturity in its risk management that not all risks may be covered despite all best efforts. A review of existing risks and mitigations is underway to ensure that all are still relevant.

It was noted that Pandora Pond remains an extreme risk due to the serious nature of the possible consequences. Further signage has been erected as part of the mitigating actions. It is only a risk as it is a recreational space that Council provides equipment for.

The Committee requested that an update on the risk roadmap be brought to its next meeting.

Committee’s Recommendation

Councillors Taylor / Wise

That the Committee:

a. Note the risk management work being undertaken by the NCC Risk Committee.

b. Receive the report titled: Highest rated risks report 24 September 2018.

Carried

PUBLIC EXCLUDED ITEMS

Councillors Wise / Hague

That the public be excluded from the following parts of the proceedings of this meeting, namely:

1. Draft Annual Report 2017/18

2. Freeholding

3. Legal update as at 30 June 2018

Carried

The general subject of each matter to be considered while the public was excluded, the reasons for passing this resolution in relation to each matter, and the specific grounds under Section 48(1) of the Local Government Official Information and Meetings Act 1987 for the passing of this resolution were as follows:

General subject of each matter to be considered.	Reason for passing this resolution in relation to each matter.	Ground(s) under section 48(1) to the passing of this resolution.
1. Draft Annual Report 2017/18	7(2)(f)(ii) Maintain the effective conduct of public affairs through the protection of such members, officers, employees and persons from improper pressure or harassment	48(1)A That the public conduct of the whole or the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist: (i) Where the local authority is named or specified in Schedule 1 of this Act, under Section 6 or 7 (except 7(2)(f)(i)) of the Local Government Official Information and Meetings Act 1987.
2. Freeholding	7(2)(i) Enable the local authority to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)	48(1)A That the public conduct of the whole or the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist: (i) Where the local authority is named or specified in Schedule 1 of this Act, under Section 6 or 7 (except 7(2)(f)(i)) of the Local Government Official Information and Meetings Act 1987.
3. Legal update as at 30 June 2018	7(2)(i) Enable the local authority to carry on, without prejudice or disadvantage, negotiations (including commercial and industrial negotiations)	48(1)A That the public conduct of the whole or the relevant part of the proceedings of the meeting would be likely to result in the disclosure of information for which good reason for withholding would exist: (i) Where the local authority is named or specified in Schedule 1 of this Act, under Section 6 or 7 (except 7(2)(f)(i)) of the Local Government Official Information and Meetings Act 1987.

The meeting moved into committee at 1.33pm

Approved and adopted as a true and accurate record of the meeting.

Chairperson .............................................................................................................................

Date of approval ......................................................................................................................

Committee Members	John Palairet (In the Chair), Mayor Bill Dalton, Geoff Foster, Councillor Claire Hague and Councillor Kirsten Wise
Officer Responsible	Director Corporate Services
Administration	Governance Team